Teens have figured out how to mess with Instagram's tracking algorithm
Teenagers are using group accounts to flood Instagram with random user data that can't be tied to a single person.
Like about a billion other people, 17-year-old Samantha Mosley spent her Saturday afternoon perusing Instagram.
She was taking a glance at the Explore tab, a feature on Instagram that shows you posts tailored for your interests based on algorithms that track your online activities and target posts to your feed.
But unlike many of Instagram's users, Mosley and her high school friends in Maryland had figured out a way to fool tracking by the Facebook-owned social network. On the first visit, her Explore tab showed images of Kobe Bryant. Then on a refresh, cooking guides, and after another refresh, animals.
"I've never looked at animals on this account," Mosley mentioned in Washington, DC. At the hacker conference Shmoocon, along with her father, Russell Mosley, she'd just given a presentation on how teens were keeping their accounts private from Instagram.
Each time she refreshed the Explore tab, it was a completely different topic, none of which she was interested in. That's because Mosley wasn't the only person using this account -- it belonged to a group of her friends, at least five of whom could be on at any given time. Maybe they couldn't hide their data footprints, but they could at least leave hundreds behind to confuse trackers.
These teenagers are relying on a sophisticated network of trusted Instagram users to post content from multiple different devices, from multiple different locations.
If you wanted to confuse Instagram, here's how.
First, make multiple accounts. You might have an Instagram account dedicated to you and friends, or another just for your hobby. Give access to one of these low-risk accounts to someone you trust.
Then request a password reset, and send the link to that trusted friend who'll log on from a different device. Password resets don't end Instagram sessions, so both you and the second person will be able to access the same account at the same time.
Finally, by having someone else post the photo, Instagram grabs metadata from a new, fresh device. Repeat this process with a network of, say, 20 users in 20 different locations with 20 different devices? Now you're giving Instagram quite the confusing cocktail of data.
"They might be like, 'Hey, you posted from this hamburger place in Germany, maybe you like Germany, or hamburgers, or traveling, we'll just throw everything at you,'" Mosley said. "We fluctuate who's sending to what account. One week I might be sending to 17 accounts, and then the next week I only have four."
Facebook said that this method was not against its policies, but didn't recommend it to people because of security concerns.
Nearly everything you do online is tracked. Tech giants like Facebook and Google follow what you do on their services, as well as off. It's why you might start seeing more posts related to puppies on Instagram after purchasing dog food on Amazon, for example.
Apple and Google have advertising IDs for iOS and Android devices, respectively, which allow for targeting in mobile apps based on where you're posting from and what you've been looking at. Similarly, Facebook has its tracking pixels across websites so it knows where you've visited online and can measure data such as if you purchased an item or how long you've been on the page.
Beyond that, companies like LiveRamp partner with hundreds of marketers to help connect offline activities with online identities. Students have found themselves increasingly tracked, sometimes by concerned parents and other times by school administrators using technology like Social Sentinel to mine students' data on social networks.
Though social networks' public code applies strictly to public posts, data partners use it to obtain a plethora of metadata about people. And tech giants and school administrators aren't the only privacy concerns for students, Mosley said. It's college recruiters and potential employers, too.
"We find out that colleges and jobs are looking for our social media," Mosley said. "We're trying to live our best life and not have to worry about people watching us and watching every moment we make and have that be associated to our real life."
College admissions officers and employers know students only from their social media posts, Mosley said. But an online identity is different from real life.
"It's an identity people can follow, but we didn't want it to be our true identity that people can find in real life," she said.
Maintaining privacy by hiding in a group isn't a new concept, even as teens start to apply it to Instagram.
Loyalty rewards cards from stores, for example, collect a lot of data about people like their shopping habits and preferences. In return, customers get points or discounts to apply to their purchases. But privacy-savvy shoppers figured out a workaround: They could share the cards through pooling groups online, essentially flooding data brokers with a ton of irrelevant data.
Software developers have also started providing tools to obscure your data on social networks. In 2018, a developer shared a script for a tool that would "poison" your Facebook data by replacing old posts with random lines of code, making it difficult for the social network to build a profile for advertisers.
Jennifer Grygiel, an assistant professor at Syracuse University who studies social media, said the teens' privacy measures were innovative, albeit a little extreme. Still, they saw it as an effective method to counter censorship for students.
"Teens have grown up with knowledge that their privacy is being collected by some of these apps," Grygiel said. "Maybe one of these accounts is critical of their school, or they're engaging in activism and they're worried about repercussion with their local authorities."
They also warned that if any one person posted malicious content on the group, every person involved could be held accountable.
It takes work to keep your data private on Instagram. Not only do you have to coordinate with multiple people on who has access to what account and who's posting for which account at any given time, but it also requires complete trust that no one will abuse the access.
Teens shouldn't have to go to those lengths to socialize privately on Instagram, said Liz O'Sullivan, technology director at the Surveillance Technology Oversight Project.
"I love that the younger generation is thinking along these lines, but it bothers me when we have to come up with these strategies to avoid being tracked," O'Sullivan said. "She shouldn't have to have these psyop [psychological operations] networks with multiple people working to hide her identity from Instagram. The platform should just have an account that works and lets people feel safe about being on social media."
Do it for the gram
Mosley discovered the potential of her tactic after making an Instagram account for her First Lego League team in junior high school. The account was shared among members of the team, and they noticed it was serving up different content each time they used it. As an experiment, Mosley shared the account with her cousin, who lived out of state.
That's when she and her friends realized the shared account could be used to obscure their data from Instagram's tracking.
It's different than having a "finsta," a fake Instagram account for posting content you don't want shared to the world, Mosley explained. A finsta account gives you privacy from other people on Instagram, but not from Instagram itself, she said.
"With a finsta, all the traffic is still coming from your device," Mosley said. "If you have it across a group, you can have real data from other people, and the data isn't coming from a VPN, it's coming from someone else's device."
Mosley's father, Russell, delivered the presentation with her at Shmoocon, and later discussed how the group has security measures in place to make sure their other accounts are not compromised if one group member decides to go rogue. Russell Mosley is a chief information security officer at TISTA Science and Technology Corporation, and said he's spent a fair amount of time teaching Mosley about proper security hygiene.
"Samantha has learned from me and her participation at security conferences why password sharing is bad, so when she does it, it's a unique password she doesn't use anywhere else that's generally garbage," he said.
A melting pot of data
The more people there are on one account, the more obscured the data is from Instagram, Samantha Mosley found. On average, one person could have about five people on their account, she said.
In some cases, Mosley knows accounts with about 20 different people each.
So while you would be the only one who could access a public account for potential college admissions officers to see, your account for a school group could be managed by four other people. At the same time you could be in group accounts for another set of people, Mosley explained.
That network would be accessing the accounts and posting on the original owner's behalf, muddying the data that Instagram gets.
The obfuscation network has grown so large there are friends in about nine other countries that are a part of it, with about five people in each country, she said.
To gain trust and access to manage more accounts, Mosley said you have to follow basic ground rules. You can only post content that the original account owner asks for you to post, including the caption, and you aren't allowed to follow anyone or accept any follower requests if the account is private.
"Likes" are a grey area, since you need other people to like various kinds of posts to alter Instagram's targeting. But the original account owner can always request to avoid liking certain types of content.
Mosley noted that people who violate these rules will have their account access revoked. For the most part, this complicated network works for her group of friends. It's also started catching on with other kids at her school, who are making their own group account networks, she said.
"I like knowing that if someone were to find my account, they're not going to be able to track my movement and know, 'she goes to this high school, these hours, she works here, and she's into these different things,'" Mosley said.
Originally published Feb. 2 at 5:00 a.m. PT.
Updated at 6:06 a.m. PT: Added comments from Facebook.